Automatic room check-in upon detecting device identifier of new guest on network of hospitality establishment

ABSTRACT

A service controller includes a network interface for coupling to a local area network of a hospitality establishment, and one or more processors coupled to the network interface. The one or more processors are configured to detect a device identifier of a user device on a local area network of a hospitality establishment, determine whether a guest of the hospitality establishment is associated with the device identifier, and automatically activate a service for the user device at the hospitality establishment in response to detecting the device identifier on the local area network when a guest of the hospitality establishment is determined to be associated with the device identifier.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/833,112 filed Aug. 23, 2015, which is a continuation of U.S. patent application Ser. No. 13/874,515 filed May 1, 2013, which claims the benefit of Canadian Patent Application No. 2,775,782 filed May 8, 2012. All of these applications are incorporated herein by reference.

BACKGROUND OF THE INVENTION

Field of the Invention

The invention pertains generally to activating services for guests at hospitality establishments. More specifically, the invention relates to automatically checking in a new guest in response to detecting a user device associated with the new guest on a computer network of the hospitality establishment.

Description of the Related Art

Hospitality establishments such as hotels and resorts typically provide high speed Internet access (HSIA) to guests. Often a hospitality establishment desires to provide guests with HSIA using a computer network installed on the premises but does not wish to design or support the network. In this situation, the hospitality establishment may contract an external vendor to provide an HSIA solution.

An example of a vendor-provided HSIA solution is the One View Internet™ (OVI) system by Guest-Tek™. To begin an HSIA session at a hotel employing the OVI system, a guest connects a user device to the hotel's computer network, either through a physical cable such as Ethernet or a wireless connection such as WiFi™, and opens a web browser to access a website on the Internet. Instead of allowing user devices immediate access to the Internet, the OVI system acts as a captive portal and requires the guest to first log in at a predetermined login portal. To this end, a firewall controlling access between the local area network (LAN) of the hotel and the Internet includes a default rule that causes unauthorized user devices to display the login portal in the web browser.

At the login portal the guest signs up for Internet access. When the guest is an attendee of an event being held at the hotel such as a meeting or conference, the guest enters a meeting passcode known only to attendees of the event in order to sign in. The OVI system checks the meeting passcode entered by the user to determine whether it matches that of an active event currently being held at the hospitality establishment. When the guest is an individual staying at the hotel, the guest enters their room number and other personal details, selects a desired bandwidth level and other options such as access duration etc., provides payment information, and performs other actions such as agreeing to terms and conditions. The OVI system only authorizes the user device to access the Internet after the guest has successfully completed the login process at the login portal.

To authorize a particular user device for HSIA after the login process has been completed, the OVI system adds a device-specific rule to the firewall that allows data to flow between the Internet and the unique media access control (MAC) address of the particular user device. In this way, only user devices from which guests of the hotel have properly logged in at the login portal are provided HSIA.

However, some user devices brought to hotels are unable to be logged in at a web-based login portal because the devices either do not include web browsing technology or do not permit the guest to access the login portal.

Examples of user devices that do not include web browsing technology include standalone teleconferencing webcam appliances, routers, Internet Protocol (IP) telephones, and other IP-enabled devices that lack a user interface capable of displaying the login portal or allowing the guest to enter the required login information. Because these devices are not capable of utilizing the web-based login portal, they cannot be logged in and do not gain Internet connectivity at the hotel.

Examples of user devices that do not permit the guest to access the login portal include locked-down corporate and military laptops and equipment that is configured to only connect with a designated destination such as a fixed server address accessed via a company or military virtual private network (VPN). Although these devices may include web browsers that are technically capable of displaying a login portal, due to security concerns, the device may be configured to actively ignore or block any attempts to cause the device to display the hotel's login portal. Typically the users of such devices have no administrator rights to modify or override these security settings. Therefore, these devices also cannot be logged in at the login portal and do not gain Internet connectivity at the hotel.

When a guest is unable to log in from a particular user device at the login portal such as in the above-described situations, the guest needs to contact support staff to request that the user device be manually cleared through the hotel's firewall in order to receive HSIA. Often the guest will not realize that manual intervention by support staff is required and may waste significant time attempting to troubleshoot the lack of Internet connectivity on their own. When the guest finally does call technical support for assistance, the guest may not be ready to provide support staff with the device's unique MAC address, which is required in order to manually add a device-specific exception allowing Internet access to the firewall. Helping the guest determine their device's unique MAC address delays call center staff in resolving the problem and moving onto a next support call.

Manual adjustment of firewall rules by support staff in order to give certain user devices Internet access both increases the support costs of the hospitality establishment's HSIA system and negatively impacts the guest experience. It would be desirable to be able to automatically activate the HSIA service for these devices.

iPass Incorporated offers the iPass Open Mobile Client™ that when installed on a user device automatically logs in the user device upon arrival at an iPass-enabled hotspot or Internet access provider such as a hotel. However, in order for the iPass Open Mobile Client to automatically log in a new user for Internet access, the user (or the user's employer in the case of a corporate device) must have previously signed up for an iPass account and purchased an amount of Internet access in advance. The user must also have previously installed and configured the iPass Open Mobile Client software on their device, which may not be possible for devices unsupported by iPass's client software or for which the user does not have sufficient access rights to install software (e.g., locked-down corporate/military devices).

International Patent Publication No. WO2011005710 A2 discloses a system that allows zones and migration rules between the zones to be configured within a hotel. When a rule is configured to allow migration from a first zone to a second zone, guests already logged into the first zone may migrate to the second zone without being forced to re-log in. However, this system still requires the user to first log in and gain access to an initial zone upon arrival at the hotel. Only after the user has logged in from the initial zone will the system allow the user to migrate to certain other zones in the hotel without being required to re-log in.

BRIEF SUMMARY OF THE INVENTION

According to an exemplary embodiment of the invention, a high speed Internet access (HSIA) service at a hospitality establishment such as a hotel is automatically activated for a particular guest's user device upon detecting the device identifier of the user device on the local area network of the hospitality establishment. An advantage of this embodiment is the guest may immediately access the Internet from the user device upon arrival at the hospitality establishment without requiring the guest to first log in at a login portal from the user device or preinstall special client software.

According to another exemplary embodiment of the invention a service for a particular guest of a hospitality establishment is automatically activated in response to detecting on a local area network of the hospitality establishment a user device having a device identifier associated with the particular guest.

According to another exemplary embodiment of the invention there is disclosed a method including detecting a device identifier of a user device on a local area network of a hospitality establishment and determining whether a guest of the hospitality establishment is associated with the device identifier. The method further includes automatically activating a service for the user device at the hospitality establishment in response to detecting the device identifier on the local area network when a guest of the hospitality establishment is determined to be associated with the device identifier.

According to another exemplary embodiment of the invention there is disclosed a tangible computer-readable medium comprising computer executable instructions that when executed by a computer cause the computer to perform the above method.

According to another exemplary embodiment of the invention there is disclosed a service controller including a network interface for coupling to a local area network of a hospitality establishment, and one or more processors coupled to the network interface. The one or more processors are configured to detect a device identifier of a user device on the local area network of the hospitality establishment, determine whether a guest of the hospitality establishment is associated with the device identifier, and automatically activate a service for the user device at the hospitality establishment in response to detecting the device identifier on the local area network when a guest of the hospitality establishment is determined to be associated with the device identifier.

According to another exemplary embodiment of the invention there is disclosed an apparatus comprising means for detecting a device identifier of a user device on a local area network of a hospitality establishment, means for determining whether a guest of the hospitality establishment is associated with the device identifier, and means for automatically activating a service for the user device at the hospitality establishment in response to detecting the device identifier on the local area network when a guest of the hospitality establishment is determined to be associated with the device identifier.

According to another exemplary embodiment of the invention there is disclosed a system including a service controller for detecting a device identifier of a user device on a local area network of a hospitality establishment, and at least one database queried by the service controller to determine whether a guest of the hospitality establishment is associated with the device identifier. The service controller automatically activates a service for the user device at the hospitality establishment in response to detecting the device identifier on the local area network when a guest of the hospitality establishment is determined to be associated with the device identifier.

According to another exemplary embodiment of the invention there is disclosed a method including detecting a device identifier of a user device in network traffic transmitted on a local area network of a hospitality establishment; determining that a service available at the hospitality establishment is not already activated for the user device; querying a reservation database of the hospitality establishment to determine whether the detected device identifier matches a registered user device associated with an active reservation of the hospitality establishment, wherein reservations of the hospitality establishment stored in the reservation database may each be associated with one or more registered user devices and are determined active according to their respective start and end times in comparison with current time; and automatically activating the service for the user device when the detected device identifier matches at least one registered user device associated with at least one active reservation of the hospitality establishment.

According to another exemplary embodiment of the invention there is disclosed a method including detecting a device identifier of a user device in network traffic transmitted on a local area network of a hospitality establishment; determining that a service available at the hospitality establishment is not already activated for the user device; querying a user profile database to find a particular user identifier that is associated with the detected device identifier, wherein the user profile database stores associations between one or more device identifiers and one or more user identifiers; querying a guest database of the hospitality establishment to determine whether the particular user identifier is associated with a current guest of the hospitality establishment, wherein the guest database of the hospitality establishment stores user identifiers of currently registered guests of the hospitality establishment; and automatically activating the service for the user device when the particular user identifier is associated with at least one current guest of the hospitality establishment.

According to another exemplary embodiment of the invention there is disclosed a service controller including a network interface for coupling to a local area network of a hospitality establishment; and one or more processors coupled to the network interface. The one or more processors are configured to detect a device identifier of a user device in network traffic transmitted on the local area network; determine that a service available at the hospitality establishment is not already activated for the user device; query a reservation database of the hospitality establishment to determine whether the detected device identifier matches a registered user device associated with an active reservation of the hospitality establishment, wherein reservations of the hospitality establishment stored in the reservation database may each be associated with one or more registered user devices and are determined active according to their respective start and end times in comparison with current time; and automatically activate the service for the user device when the detected device identifier matches at least one registered user device associated with at least one active reservation of the hospitality establishment.

According to another exemplary embodiment of the invention there is disclosed a service controller including a network interface for coupling to a local area network of a hospitality establishment; and one or more processors coupled to the network interface. The one or more processors are configured to detect a device identifier of a user device in network traffic transmitted on a local area network of the hospitality establishment; determine that a service available at the hospitality establishment is not already activated for the user device; query a user profile database to find a particular user identifier that is associated with the detected device identifier, wherein the user profile database stores associations between one or more device identifiers and one or more user identifiers; query a guest database of the hospitality establishment to determine whether the particular user identifier is associated with a current guest of the hospitality establishment, wherein the guest database of the hospitality establishment stores user identifiers of currently registered guests of the hospitality establishment; and automatically activate the service for the user device when the particular user identifier is associated with at least one current guest of the hospitality establishment.

According to another exemplary embodiment of the invention there is disclosed a system including a reservation database storing reservations of a hospitality establishment, wherein reservations of the hospitality establishment stored in the reservation database may each be associated with one or more registered user devices and are determined active according to their respective start and end times in comparison with current time; and a service controller coupled to the reservation database. The service controller is operable to detect a device identifier of a user device in network traffic transmitted on a local area network of the hospitality establishment; determine that a service available at the hospitality establishment is not already activated for the user device; query the reservation database to determine whether the detected device identifier matches a registered user device associated with an active reservation of the hospitality establishment; and automatically activate the service for the user device when the detected device identifier matches at least one registered user device associated with at least one active reservation of the hospitality establishment.

According to another exemplary embodiment of the invention there is disclosed a system including a user profile database storing associations between one or more device identifiers and one or more user identifiers; a guest database of a hospitality establishment storing user identifiers of currently registered guests of the hospitality establishment; and a service controller coupled to the user profile database, the guest database, and a local area network of the hospitality establishment. The service controller is operable to detect a device identifier of a user device in network traffic transmitted on the local area network of the hospitality establishment; determine that a service available at the hospitality establishment is not already activated for the user device; query the user profile database to find a particular user identifier that is associated with the detected device identifier; query the guest database to determine whether the particular user identifier is associated with a current guest of the hospitality establishment; and automatically activate the service for the user device when the particular user identifier is associated with at least one current guest of the hospitality establishment.
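The two association checks described in the embodiments above (registered device on an active reservation, and device identifier to user identifier to current guest) can be sketched as follows. This is an added example, not code from the patent; the record layouts, function names, sample MAC addresses and the choice to try the reservation check first are assumptions made for illustration.

```python
import re
from datetime import datetime


def normalize_mac(raw):
    """Canonicalize a MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample data (hypothetical layout, locally administered MACs).
RESERVATIONS = [
    {"id": "R-1001",
     "start": datetime(2012, 5, 8, 15, 0), "end": datetime(2012, 5, 10, 11, 0),
     "devices": ["02:00:00:AA:BB:01", "02-00-00-aa-bb-02"]},
    {"id": "R-1002",  # starts in the future relative to SAMPLE_NOW
     "start": datetime(2012, 5, 12, 15, 0), "end": datetime(2012, 5, 14, 11, 0),
     "devices": ["02:00:00:aa:bb:03"]},
]
USER_PROFILES = [
    {"user_ids": ["LOYALTY-7"], "devices": ["02:00:00:aa:bb:04"]},
    {"user_ids": ["LOYALTY-9"], "devices": ["02:00:00:aa:bb:05"]},
]
CURRENT_GUESTS = {"LOYALTY-7"}          # user identifiers in the guest database
SAMPLE_NOW = datetime(2012, 5, 9, 12, 0)


def active_reservation_for(mac, now, reservations=RESERVATIONS):
    """Return the id of an active reservation listing this device, or None.

    A reservation is active when start <= now < end.
    """
    for res in reservations:
        if not (res["start"] <= now < res["end"]):
            continue
        if mac in {normalize_mac(d) for d in res["devices"]}:
            return res["id"]
    return None


def current_guest_for(mac, profiles=USER_PROFILES, guests=CURRENT_GUESTS):
    """Map device -> user identifier(s), then keep one that is a current guest."""
    for profile in profiles:
        if mac in {normalize_mac(d) for d in profile["devices"]}:
            for user_id in profile["user_ids"]:
                if user_id in guests:
                    return user_id
    return None


def decide_activation(raw_mac, authorized, now=SAMPLE_NOW):
    """Return (activate, reason) for a device identifier seen on the LAN."""
    mac = normalize_mac(raw_mac)
    if mac in authorized:               # service already activated: nothing to do
        return (False, "already-activated")
    res_id = active_reservation_for(mac, now)
    if res_id is not None:
        return (True, "reservation:" + res_id)
    user_id = current_guest_for(mac)
    if user_id is not None:
        return (True, "guest:" + user_id)
    return (False, "no-associated-guest")


if __name__ == "__main__":
    for seen in ("02-00-00-AA-BB-02", "02:00:00:aa:bb:03",
                 "02:00:00:aa:bb:04", "02:00:00:aa:bb:05"):
        print(seen, decide_activation(seen, authorized=set()))
```
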

According to another exemplary embodiment of the invention there is disclosed an apparatus for controlling automatic check-in at a hospitality establishment. The apparatus includes a storage device, a network interface for coupling to a computer network of the hospitality establishment, and one or more processors coupled to the storage device and the network interface. By the one or more processors executing a plurality of software instructions loaded from the storage device, the one or more processors are configured to detect a device identifier of a user device in network traffic transmitted on the computer network of the hospitality establishment and query one or more databases of the hospitality establishment to determine whether the device identifier is associated with a new guest registered for a particular room of the hospitality establishment. The one or more processors are further configured to send a room access key to the user device via the computer network in response to determining that the device identifier is associated with the new guest registered for the particular room. The room access key allows the new guest registered for the particular room to open a door lock of the particular room.

According to another exemplary embodiment of the invention there is disclosed a method of automatic check-in at a hospitality establishment. The method includes detecting a device identifier of a user device in network traffic transmitted on a computer network of the hospitality establishment and querying one or more databases of the hospitality establishment to determine whether the device identifier is associated with a new guest registered for a particular room of the hospitality establishment. The method further includes sending a room access key to the user device via the computer network in response to determining that the device identifier is associated with the new guest registered for the particular room. The room access key allows the new guest registered for the particular room to open a door lock of the particular room.

According to another exemplary embodiment of the invention there is disclosed a non-transitory processor-readable medium comprising a plurality of processor-executable instructions that when executed by one or more processors cause the one or more processors to perform steps of detecting a device identifier of a user device in network traffic transmitted on a computer network of a hospitality establishment and querying one or more databases of the hospitality establishment to determine whether the device identifier is associated with a new guest registered for a particular room of the hospitality establishment. The steps further include sending a room access key to the user device via the computer network in response to determining that the device identifier is associated with the new guest registered for the particular room. The room access key allows the new guest registered for the particular room to open a door lock of the particular room.

These and other embodiments and advantages of the invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be described in greater detail with reference to the accompanying drawings which represent preferred embodiments thereof, wherein:

FIG. 1 shows a block diagram of a system for automatic service activation at a hospitality establishment according to an exemplary embodiment of the invention;

FIG. 2 shows an example set of authorized user devices stored in the data storage device of FIG. 1.

FIG. 3 illustrates a flowchart showing the functionality of the gateway/firewall module of FIG. 1 resulting from the firewall rules according to an exemplary embodiment of the invention.

FIG. 4 illustrates a flowchart describing how the service controller of FIG. 1 automatically activates a service for a user device at a hospitality establishment according to an exemplary embodiment of the invention.

FIG. 5 shows an exemplary user profile database of FIG. 1.

FIG. 6 shows an exemplary guest database of the hotel of FIG. 1.

FIG. 7 shows an example of the default HSIA service entitlements of FIG. 1 based on a user type.

FIG. 8 shows an example of the default HSIA service entitlements of FIG. 1 based on an initial zone of the hotel at which the user device is located when the HSIA service is automatically activated.

FIG. 9 illustrates a user interface (UI) screen provided by the UI module of FIG. 1 allowing modification of information stored in the user profile database for an exemplary user.

FIG. 10 shows a flowchart describing steps performed by the service controller of FIG. 1 upon user login at the hotel's web-based login portal in order to automatically create or modify the user profile settings for the user.

FIG. 11 illustrates how the user profile database of FIG. 1 may further store service entitlements for different users at specific hospitality establishments.

FIG. 12 illustrates a flowchart of operations of the controller module of FIG. 1 expiring zone access for a particular user device according to an exemplary embodiment.

FIG. 13 illustrates a UI screen allowing an event organizer to adjust a set of event-specific network settings for a particular event as stored in a reservation database such as the guest database of FIG. 1.

FIG. 14 illustrates a method of determining whether a hotel guest is associated with a particular device identifier by checking a reservation database of the hospitality establishment.

FIG. 15 illustrates a guest-specific UI screen sent to a user device after activating an automated check-in process according to another embodiment of the invention.

DETAILED DESCRIPTION

FIG. 1 shows a block diagram of a system 100 for automatic service activation at a hospitality establishment according to an exemplary embodiment of the invention. In this embodiment, the hospitality establishment is a hotel 101 and the system 100 automatically activates a high speed Internet access (HSIA) service for certain user devices 102 in response to detecting the media access control (MAC) addresses of the user devices 102 on the hotel's LAN 104.

As shown in FIG. 1, a service controller 106 is coupled between the hotel's LAN 104 and the Internet 108. The service controller 106 in this embodiment is a computer server including a first network interface 110 coupled to the Internet 108 and a second network interface 112 coupled to the hotel's LAN 104. The service controller 106 further includes a module storage device 114 and a data storage device 116, and each of the network interfaces 110, 112 and storage devices 114, 116 are coupled to one or more processors 118. In the following description, the plural form of the word “processors” will be utilized as it is common for a central processing unit (CPU) of a computer server to have multiple processors (sometimes also referred to as cores); however, it is to be understood that a single processor may also be configured to perform the below-described functionality in other implementations.

The service controller 106 in this embodiment integrates and performs a variety of functions at the hotel 101. To allow the service controller 106 to perform these functions, the module storage device 114 stores a number of software modules for execution by the processors 118, including a controller module 120, a user interface (UI) module 122, a gateway/firewall module 124, a property management system (PMS) module 126, and a dynamic host configuration protocol (DHCP) module 128.

Briefly described, the controller module 120 controls the automatic activation of services for particular user devices 102 at the hotel 101. The UI module 122 acts as a web server, allowing both guests and staff at the hotel 101 to receive information from, and in some cases interact with, the service controller 106. The gateway/firewall module 124 controls network traffic passed between the Internet 108 and the hotel LAN 104. The PMS module 126 manages property-specific details of the hotel 101 such as guest and event reservations, and room assignments. The DHCP module 128 assigns dynamic Internet Protocol (IP) addresses to user devices 102 as they are connected to the hotel's LAN 104.

The data storage device 116 stores data utilized by the processors 118 when performing the functions of the various modules 120, 122, 124, 126, 128. In this example, the data storage device 116 stores a set of authorized user devices 130 indicating to the controller module 120 the particular user devices 102 for which the HSIA service has already been activated. A set of firewall rules 134 causes the gateway/firewall module 124 to prevent Internet access for unauthorized user devices 102 according to a default rule, and includes a device-specific exception to the default rule (i.e., one or more device-specific rules) allowing Internet access for each of the specific user devices 102 included on the set of authorized user devices 130. A set of default HSIA service entitlements 132 are utilized by the controller module 120 when automatically activating the HSIA service for a particular user device 102. Finally, the guest database 136 stores details of the current guests, events, and room assignments of the hotel 101 for use by the PMS module 126. In this embodiment, a relational database is utilized to store the guest database 136; however, the term “database” as utilized in this description is meant to refer to any stored collection of organized data.

A first user device 102a is shown coupled to the hotel LAN 104 via switch 140 and a second user device 102b is shown coupled to the hotel LAN 104 via an access point (AP) 142. Additionally, the hotel 101 is divided into a number of zones 144 representing different physical areas of the hotel 101 and logical partitions of the LAN 104 in this embodiment. In particular, each of the first and second zones 144a, b illustrated in FIG. 1 represent different physical areas such as a lobby area, conference room area, guest room area, etc., and non-physical divisions such as a virtual local area network (VLAN) reserved for employees of the hotel 101.

In the following description, the hotel 101 will be assumed to have the following five zones 144: a lobby zone, a first conference room zone, a second conference room zone, a guest rooms zone including all the guest rooms in the hotel 101, and a corporate zone being limited to only employees of the hotel. Separate points of connection to the hotel LAN 104 such as switches 140 and APs 142 may be employed for each zone 144 in some embodiments.

As illustrated in FIG. 1, a user profile server 150 providing a user profile database 152 is coupled to the hotel 101 via the Internet 108. The user profile database 152 stores a plurality of user profiles, each user profile associating one or more user identifiers such as loyalty program member identifiers with one or more user device identifiers such as MAC addresses. As will be explained in more detail, the user profile server 150 may further be coupled via the Internet 108 to a number of different hospitality establishments such as other hotels and resorts (not shown).

Various external web sites 160 are also shown coupled to the Internet 108 in FIG. 1. These external web sites 160 correspond to various web servers on the Internet 108 that may be accessed by a user device 102 at the hotel 101 after the HSIA service is activated for that user device 102.

With respect to the HSIA service at the hotel 101, the set of authorized user devices 130 stored in the data storage device 116 specifies details of each user device 102 for which the HSIA service is currently activated at the hotel 101. An example set of authorized user devices 130 is illustrated in FIG. 2.

The set of authorized user devices 130 is utilized by the controller module 120 to both determine whether the HSIA service has already been activated for a newly connected user device 102, and to trigger an update of the firewall rules 134 when the HSIA service is to be automatically activated for a new user device 102 or is to be deactivated for an existing user device 102 when the user's access entitlement for at least one zone 144 expires.

In this example, the set of authorized user devices 130 is stored as a database table having information for each individual user device 102 stored in rows. For each user device 102, a device identifier column 200 stores the unique MAC address of the user device, a user identifier column 202 stores a loyalty program membership identifier associated with the MAC address as retrieved from the user profile database 152, and a plurality of zone access expiry columns 204 store the expiry times for this user device 102 in each of the various zones 144 available at the hotel 101.

Taking the “MAC-2” user device 102 as an example, the HSIA service is activated only from the hotel's lobby zone 144, and the HSIA service in the lobby zone 144 for the “MAC-2” user device 102 will expire at “2011/10/11 16:32”.

In this way, each user device 102 as tracked by a device identifier such as a unique MAC address may be authorized to access the Internet 108 from a plurality of zones 144 within the hotel. Furthermore, access entitlements from each zone are specific to each individual user device 102. Having zone-specific access times for each user device 102 is beneficial to allow recent guests who are now checked out of their rooms to lose access from the guest rooms zone 144 while still retaining another X hours of access from the hotel lobby zone 144, for example.

FIG. 3 illustrates a flowchart showing the functionality of the gateway/firewall module 124 resulting from the firewall rules 134 in this embodiment. The gateway/firewall module 124 couples the hotel LAN 104 to the Internet 108 and acts to control the flow of data between these two networks 104, 108. The gateway/firewall module 124 may also include other functionality such as network address translation (NAT), redirection server, and/or proxy server functionality; or the gateway/firewall module 124 may be replaced with or installed in addition to one or more servers implementing these functions according to application-specific requirements. In the following description, the terms “gateway” and “firewall” will be utilized to collectively refer to devices that perform access control between different networks.

The firewall rules 134 in this embodiment include a default rule (generally corresponding to step 304 of FIG. 3) that prevents unauthorized user devices 102 from accessing the Internet 108. Unauthorized user devices 102 in this embodiment refers to both unrecognized user devices 102 having device identifiers (e.g., MAC addresses) that are not included on the set of authorized user devices 130 shown in FIG. 2, and user devices 102 having device identifiers that are included on the set of authorized user devices but have passed the limits of the zone access expiry times 204 or are not entitled to access from the determined source zone.

In order to activate the HSIA service for each of the user devices 102 that are included on the set of authorized user devices 130, the firewall rules 134 are updated to include device-specific exceptions to the default rule that authorize access to the Internet 108 from specific zones 144. Device-specific exceptions generally correspond to step 310 in FIG. 3. When a change is made to the set of authorized user devices 130 illustrated in FIG. 3, the processors 118 execute the controller module 120 in order to update the firewall rules 134 accordingly to reflect the change. Likewise, when the current time passes an expiry time in one of the zone access expiry columns 204, the controller module 124 automatically updates the firewall rules to remove the corresponding device-specific rules and thereby de-authorize the affected user device(s) 102 from Internet access from the expired zones 144. After the firewall rules 134 are updated, the results of the device-specific checks at steps 302 and 308 may have different outcomes on a next occurrence of outgoing network traffic.

The steps of the flowchart of FIG. 3 are not restricted to the exact order shown, and, in other embodiments, shown steps may be omitted or other intermediate steps added. In this embodiment the processors 118 execute the gateway/firewall module 124 in order to cause the service controller 106 to perform the following illustrated steps.

At step 300, the gateway/firewall module 124 receives outgoing network traffic from a user device 102. For example, the outgoing network traffic may be a request by a user device 102 at the hotel 101 to establish a connection with an IP address corresponding to an external website 160 on the Internet 108. To ensure the gateway/firewall module 124 receives all outgoing network traffic at this step, the service controller 106 may be set as the default gateway for the user device 102 during a DHCP process previously performed by the DHCP module 128 (e.g., performed upon connection of the user device 102 to the hotel LAN 104).

At step 302, the gateway/firewall module 124 determines whether or not the device ID of the user device 102 (e.g., the device's MAC address in this embodiment) is recognized. The MAC address is deemed recognized when it is listed on the set of authorized user devices 130 and/or has one or more corresponding device-specific exceptions included in the firewall rules 134. When the MAC address is recognized, control proceeds to step 306; otherwise, the user device 102 that sent the network traffic received at step 300 is deemed unauthorized and control proceeds to the default rule at step 304.

At step 304, the gateway/firewall module 124 by default drops the outgoing network traffic in order to prevent unauthorized user devices 102 from accessing the Internet 108. In a preferred embodiment, the gateway/firewall module 124 further forces the unauthorized user device 102 to display a predetermined login portal of the hotel 101. Hypertext transfer protocol (HTTP) redirection techniques may be utilized at this step to redirect the user device's web browser to the address of the login portal rather than that of the user's desired external web site 160. Additionally, U.S. patent application Ser. No. 13/402,198 naming common inventor David Ong and filed Feb. 22, 2012 describes techniques of causing a user device 102 to display a predetermined login portal without requiring a browser redirection message.

At step 306, the gateway/firewall module 124 determines the source zone 144 from which the network traffic originated in order to determine where in the hotel 101 the user device 102 is currently located. In a preferred embodiment, this step is passively performed while checking the access entitlements at step 308 because the network traffic received at step 300 already identifies the source zone. For example, in one implementation virtual local area network (VLAN) tags are utilized to specify the source zone 144 from which network traffic originated. Specifically, the switches 140 in a first zone 144a place network traffic on a VLAN corresponding to the first zone 144a, and the APs 142 in a second zone 144b place network traffic on a different VLAN corresponding to the second zone 144b. Therefore, the gateway/firewall module 124 can determine the source zone by mapping the VLAN tag of the network traffic received at step 300 to its corresponding zone 144.

In another implementation, the DHCP module 128 on the hotel LAN 104 assigns IP addresses to user devices 102 according to predetermined address ranges corresponding to different zones 144. For example, devices that connect to the first zone 144a receive an IP address in a first range while devices 102 that connect to the second zone 144a receive an IP address in another, different range. Therefore, the gateway/firewall module 124 can determine the source zone by mapping the source IP address of the network traffic received at step 300 to its corresponding zone 144.

Determining the source zone passively, such as by utilizing the VLAN tag or IP address, is beneficial because this may be done as a part of checking to see if the received network traffic matches one of the firewall rules 134. No explicit determination of source zone is required, thereby simplifying the functionality of the gateway/firewall 134.

In other embodiments, determining the source zone may be done actively at step 306 such as by tracing back through the hotel LAN 104 using simple network management protocol (SNMP) messages in order to determine the source switch/port combination from which the packets with the MAC address of the user device 102 were originally received. By looking up this source switch/port combination on a switch-port-to-zone mapping table, the source zone can be determined. In another example, each AP 142 in the hotel 101 may be within range of only a single zone such as when each guest room of the hotel 101 has its own AP 142. Therefore, by determining the originating AP 142, the service controller 106 can determine the source zone at which the user device 102 is currently located. In yet another example, the zones 144 may correspond to different SSIDs; therefore, by determining the SSID to which the user device 102 is associated, the service controller 106 can determine the source zone at which the user device 102 is currently located.

Combinations of the above-described techniques may be utilized to determine the source zone in other embodiments.

At step 308, the gateway/firewall module 124 determines whether network traffic from this MAC address is allowed to be passed to the Internet 108 from the source zone 144. Assuming zones are indicated with VLAN tags and taking the user device 102 having “MAC-5” as its MAC address in column 200 of FIG. 2 as an example, there may be two device-specific exceptions in the firewall rules 134: a first exception entitling the “MAC-5” user device 102 to access the Internet 108 when the VLAN tag corresponds to the “Lobby” zone 144, and a second exception entitling the “MAC-5” user device 102 to access the Internet 108 when the VLAN tag of the received network traffic corresponds to the “Conference room B” zone 144. Therefore, when the network traffic received at step 300 matches either of these two rules, control proceeds to step 310. Alternatively, when the network traffic received at step 300 is from the “MAC-5” user device 102 but the VLAN tag corresponds to another source zone 144 other than “Lobby” or “Conference room B”, the user device 102 is deemed unauthorized and control proceeds to the default rule at step 304.

At step 310, the gateway/firewall module 124 passes the network traffic received at step 300 to the Internet 108. This step may be performed by the processors 118 transmitting the network traffic packets on the Internet 108 via the first network interface 110.
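The default-deny matching of steps 302 to 310, with the source zone determined passively from the VLAN tag, can be sketched as follows. This is an added example and not code from the patent; the function names, the VLAN numbers, the user identifiers and the “MAC-5” expiry times are constructed assumptions, while the “MAC-2” lobby expiry is the one given for FIG. 2.

```python
from datetime import datetime

PASS = "pass"                        # step 310: forward to the Internet
DROP_AND_PORTAL = "drop+portal"      # step 304: default rule

# Constructed VLAN-to-zone mapping (the page gives no VLAN numbers).
VLAN_TO_ZONE = {10: "Lobby", 20: "Guest rooms", 30: "Conference room B"}

# Set of authorized user devices in the shape of FIG. 2:
# device identifier -> user identifier and per-zone access expiry.
AUTHORIZED_DEVICES = {
    "MAC-2": {
        "user_id": "User-B",  # constructed
        "expiry": {"Lobby": datetime(2011, 10, 11, 16, 32)},  # from the page
    },
    "MAC-5": {
        "user_id": "User-E",  # constructed
        "expiry": {  # constructed expiry times
            "Lobby": datetime(2011, 10, 12, 9, 0),
            "Conference room B": datetime(2011, 10, 11, 18, 0),
        },
    },
}


def build_firewall_rules(devices, now):
    """Derive the device-specific exceptions from the authorized set.

    Each exception is a (MAC, VLAN tag) pair. Entitlements whose expiry
    time has passed produce no exception, which is how a device is
    de-authorized for a zone when the rules are rebuilt.
    """
    zone_to_vlan = {zone: vlan for vlan, zone in VLAN_TO_ZONE.items()}
    rules = set()
    for mac, row in devices.items():
        for zone, expiry in row["expiry"].items():
            if zone in zone_to_vlan and expiry > now:
                rules.add((mac, zone_to_vlan[zone]))
    return rules


def filter_outgoing(rules, src_mac, vlan_tag):
    """Steps 302-310 for one outgoing frame.

    Because each exception already names the VLAN, matching the frame
    against the rules performs the recognition check (302), the zone
    lookup (306) and the entitlement check (308) in one step. Anything
    that matches no exception, including untagged frames and unknown
    VLANs, falls through to the default rule (304).
    """
    if (src_mac, vlan_tag) in rules:
        return PASS
    return DROP_AND_PORTAL


if __name__ == "__main__":
    rules = build_firewall_rules(AUTHORIZED_DEVICES, datetime(2011, 10, 11, 12, 0))
    for mac, vlan in [("MAC-2", 10), ("MAC-2", 20), ("MAC-5", 30), ("MAC-9", 10)]:
        print(mac, VLAN_TO_ZONE.get(vlan), filter_outgoing(rules, mac, vlan))
```

Rebuilding the rules after an expiry time passes changes the outcome for the same frame, which matches the statement that the checks at steps 302 and 308 may have different results on the next occurrence of outgoing traffic.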

Although not illustrated, the gateway/firewall module 124 may also perform control functions for incoming network traffic from the Internet 108 to the hotel LAN 104. In a preferred embodiment, the gateway/firewall module 124 only allows traffic to pass from the Internet 108 to the hotel LAN 104 for connections that are already opened as initiated by a user device 102 on the hotel LAN 104. However, other control functions for incoming network traffic may be employed in other configurations according to application-specific requirements. For example, certain user devices 102 may be authorized to act as servers and therefore be able to receive connection requests initiated by devices on the Internet 108.

FIG. 4 illustrates a flowchart describing how the service controller 106 automatically activates a service for a user device 102 at a hospitality establishment according to an exemplary embodiment of the invention. The steps of the flowchart are not restricted to the exact order shown, and, in other embodiments, shown steps may be omitted or other intermediate steps added. In this embodiment, the processors 118 execute the controller module 120 in order to cause the service controller 106 to perform the following top-level steps:

Step 400: Detect a device identifier of a user device 102 on the hotel LAN 104.

Step 402: Determine whether the service in question has already been activated for this user device 102.

Step 404: When the service has not already been activated for this user device, determine whether a guest of the hotel 101 is associated with the device identifier.

Step 406: In response to determining that a guest of the hotel 101 is associated with the device identifier, automatically activate the service for the user device 102.

As illustrated in FIG. 4, in an advantageous application of this embodiment of the invention the device identifier is the MAC address of the user device 102 and the service in question is the HSIA service at the hotel 101.

At step 410, the controller module 120 monitors network traffic on the hotel LAN 104 for DHCP messages, for example, DHCP discover/offer/request/acknowledgement etc., that are transmitted after a new user device 102 is first connected. Typical user devices 102 will utilize DHCP to configure themselves for the hotel LAN 104 upon connection (either wired or wireless) by immediately broadcasting DHCP messages. The DHCP module 128 (or another DHCP server on the hotel LAN 104) responds to the newly connected user device 102 with various information such as an IP address for use by the user device 102, a default gateway IP address for use by the user device 102 when sending network traffic to destinations off a local subnet, and a netmask setting allowing the user device 102 to determine which destination addresses are off the local subnet. Regardless of whether the DHCP module 128 (or another DHCP server) is located within or external to the service controller 106, because the DHCP messages are broadcast on the hotel LAN 104, the controller module 120 is able to receive the DHCP messages.

At step 412, the controller module 120 determines the MAC address of the newly connected user device 102 from the received DHCP messages. For example, the field “CHADDR” (Client Hardware Address) in the DHCP message received at step 410 indicates the MAC address of the newly connected user device 102.

At step 414, the controller module 120 checks the set of authorized user devices 130 and/or the firewall rules 134 stored in the data storage device 116 to determine whether the newly connected user device 102 is already recognized locally. When a user device 102 is recognized locally, the user device's MAC address will be listed on the set of authorized user devices 130 and the firewall rules 134 stored in the data storage device 116. When the controller module 120 finds the MAC address already listed at one of these locations, the user device is determined to already be recognized and control proceeds to step 416; otherwise, the user device 102 is determined to be unrecognized and control proceeds to step 418.

At step 416, the controller module 120 takes no further action for this locally recognized user device 102 because the hotel's firewall rules 134 are already configured for this user device 102. As illustrated in FIG. 3, the gateway/firewall module 124 will follow the firewall rules 134 in order to either allow or deny access to the Internet 108 for this user device 102 according to the various device-specific zone access expiries 204 shown in the set of authorized user devices 130. In this way, a guest of the hotel may disconnect and reconnect their user device 102 to the hotel LAN 104 any number of times without affecting their already activated HSIA service.

At step 418, the controller module 120 queries the user profile database 152 to determine whether there is a user identifier (ID) that is associated with the MAC address detected at step 412. As shown in FIG. 1, the user profile database 152 in this embodiment is stored remote to the hotel 101 at a central user profile server 150. Therefore, this step may be performed by the processors 118 sending and receiving network packets to/from the user profile server 150 via the first network interface 110 and the Internet 108.

FIG. 5 shows an exemplary user profile database 152. In this example, the user profile database 152 associates each of a plurality of different user identifiers (IDs) in column 500 with one or more device identifiers (e.g., MAC addresses in this embodiment) in column 502. As shown, each user ID may be associated with multiple MAC addresses such as when a single user owns multiple user devices 102 such as computers and mobile phones. For example, “User-C” is shown in FIG. 5 associated with “MAC-3” and “MAC-4”. In this way, the MAC address of each of the user's devices may be associated with the user's ID. Additionally, a single MAC address may be associated with multiple user IDs, for example, “MAC-1” shown in FIG. 5 is associated with “User-A” and “User-F”. This may be the case when multiple users share a single device such as a corporate loaner laptop that may be provided as needed to different employees for travel.

Returning again to the description of FIG. 4, at step 420, when the detected MAC address is not associated with any user identifiers (IDs) in the user profile database 152, control proceeds to step 422. Otherwise, when the detected MAC address is associated with one or more user identifiers (IDs) in the user profile database 152, the particular user identifiers (IDs) are retrieved from the user profile database and control proceeds to step 424.

At step 422, the controller module 120 takes no further action for this unknown user device 102 because, as already explained with reference to the operation of the gateway/firewall module 124 shown in FIG. 3, the hotel's gateway/firewall module 124 by default causes unauthorized user devices 102 to display the hotel's predetermined login portal at step 304.

At step 424, the controller module 120 queries the guest database 136 of the hotel 101 to determine whether a current guest of the hospitality establishment is associated with any of the particular user identifiers (IDs) found associated with the detected MAC address at step 420.

FIG. 6 shows an exemplary guest database 136 of the hotel 101. In this example, the guest database 136 is the PMS database used by the PMS module 126 for room assignment at the hotel 101. A room number column 604 indicates the particular guest room and a user identifier (ID) column 604 indicates the user ID of the guest currently registered for that room, with vacant rooms having a “-” in column 604.

In a preferred embodiment, the user identifiers (IDs) in column 500 of FIG. 5 and column 604 of FIG. 6 are loyalty program member identifiers recognized by the hotel 101. A unique user ID is assigned to each guest participating in the hotel's loyalty program such as by issuing the guest with a membership card having the user identifier printed thereon. When a guest makes a reservation or when checking into the hotel 101, the guest will provide the hotel 101 with the user's personal user identifier (e.g., loyalty program member identifier), which is thereafter stored in the guest database 136 of the hotel 101 as being associated with the room that is registered to the guest. Discounts or other benefits may be applied to loyalty program members to encourage guests to register their loyalty numbers upon reservation or check-in.

Utilizing loyalty program member identifiers as the user identifiers is beneficial to ensure each guest has a unique user identifier. However, other types of user identifiers may also be utilized in conjunction with the invention. For example, combinations of a user's personal identification information provided to the hotel upon reservation or check-in (name, age, phone #, credit card information, passport number, username, password, etc.) may also be utilized in other embodiments.

Returning again to the description of FIG. 4, at step 426, when a current guest of the hotel 101 is associated with one of the particular user identifiers determined at step 418, control proceeds to step 428 to begin automatically activating the HSIA service for the newly connected user device 102. Otherwise, when no current guest of the hotel is associated with any of the particular user identifiers determined at step 418, the users associated with these user identifiers (IDs) are not current guests of the hotel 101. Therefore, the HSIA service is not automatically activated for the user device 102 and control returns to step 422.

At step 428, the controller module 120 automatically activates the HSIA service at the hotel for the newly connected user device by configuring the firewall rules 134 at the hotel to allow traffic to flow between the MAC address of the user device 102 and the Internet 108.

Activating the HSIA service in this embodiment involves adding a row for the newly authorized user device 102 to the set of authorized user devices 130 and then updating the firewall rules 134 accordingly. The new row includes the MAC address determined at step 412 in the device ID column 200 and the particular user ID determined as a result of step 426 in the user ID column 202. As for the zone access expiries in columns 204, these are set according to either a user-specific policy obtained from the user profile database 152 and/or guest database 136, or according to the default HSIA service entitlements 132 of the hotel 101 in various exemplary embodiments.

FIG. 7 shows an example of default HSIA service entitlements 132 based on a user type. In this configuration, when the HSIA service is automatically activated for a new user device 102, the user device's MAC address is given zone access expiries in column 204 according to the type of the guest associated with the user ID. To determine the guest type, the controller module 140 receives user information associated with the user identifier.

In one configuration, the user information is retrieved from the user profile database 152. For example, the user profile database 152 may associate each unique user ID with a user type value of either “Regular User” or “VIP” (an example of such an association is shown later in FIG. 9). Again, utilizing the example that the user IDs correspond to loyalty program member identifiers, some users may be entitled to VIP status as a result of frequent stays at the hotel, for example.

In another configuration, the controller module 120 retrieves the user information associated with the user identifier from the hotel's guest database 136 (e.g., hotel's PMS database in some embodiments). For instance, some rooms of the hotel 101 may be higher priced and therefore bestow VIP status to any user registered in that room for the duration of their stay.

Once the user information associated with the user identifier is retrieved, the controller module 120 automatically activates the HSIA service for the user device at the hotel with a service entitlement set according to the user information. With reference to FIG. 7, when the user information specifies the user is a “Regular user”, the controller module 120 sets the zone access expiries in column 204 so that the user device will receive Internet access from the lobby zone 144 for 48 hours and from the guest rooms zone 144 for 24 hours. Alternatively, when the user information specifies the user is a “VIP”, the controller module 120 sets the zone access expiries in column 204 so that the user device will further receive 24 hours of Internet access from other zones 144 in the hotel such as the conference rooms and coffee shop zones 144. The controller module 120 then updates the firewall rules 134 according to the new row in the set of authorized user devices 130 and the HSIA service is thereby activated for the newly connected user device 102 with a service entitlement set according to user information.

FIG. 8 shows an example of default HSIA service entitlements 132 based on an initial zone 144 of the hotel 101 at which the user device 102 is located when the HSIA service is automatically activated. In order to determine the initial zone required in this embodiment, the controller module 120 may utilize any of the techniques previously described for determining the source zone at step 306. As the automatic HSIA service activation process shown in FIG. 4 will generally proceed very quickly from step 410 to step 428, the first time the controller module 120 determines the zone at which the user device 102 is currently located, this will generally correspond to the initial zone from which the user device 102 was connected to the hotel LAN 104.

As shown in FIG. 8, each initial zone in column 800 has a unique set of zone access time entitlements in columns 802. The controller module 120 therefore sets the zone access expiries in column 204 of the set of authorized user devices 130 for the new user device 102 according to the entitlements of the determined initial zone, and updates the firewall rules 134 accordingly. The HSIA service is thereby activated for the newly connected user device 102 with a service entitlement set according to the initial zone at which the user device 102 is located when the service is automatically activated.

Returning again to the description of FIG. 4, at step 430, the controller module 120 updates login statistics for the HSIA users at the hotel 101. For instance, each time the HSIA service is automatically activated for a newly connected user device 102, the controller module 120 may update various HSIA statistics such as those related to the currently logged in users (tracked by user IDs) and the user devices 102 in use by each user (tracked by MAC addresses). A new user login counter may be incremented each time step 430 is reached. In this way, hotel staff or other administrators may track HSIA usage by the hotel 101 guests even though there is no manual login process performed at the hotel's web-based login portal when the HSIA service is automatically activated for some user devices 102 at step 428.

An advantage of automatically activating the hotel's HSIA service according to the embodiment shown in FIG. 4 is that certain user devices 102 may immediately access the Internet 108 upon connection to the hotel LAN 104 without requiring the user device to access a web-based login portal and without requiring a user to make changes to the configuration of the user device 102.
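The FIG. 4 flow from step 410 to step 428 can be sketched end to end as follows: read CHADDR from a DHCP message, check the local authorized set, look up the user profile database for this site, confirm a current guest, and add a row with FIG. 7 entitlements. This is an added example and not code from the patent; the function names, data layout, room numbers, user types and the shared-laptop record are constructed assumptions, while the MAC address, site numbers and loyalty identifiers are the ones quoted from FIG. 9.

```python
import struct
from datetime import datetime, timedelta

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie after the 236-byte BOOTP header

# FIG. 7 default entitlements in hours per zone, by user type.
ENTITLEMENTS = {
    "Regular User": {"Lobby": 48, "Guest rooms": 24},
    "VIP": {"Lobby": 48, "Guest rooms": 24,
            "Conference rooms": 24, "Coffee shop": 24},
}

# User profile database: MAC -> records of (site, user ID, user type).
# A MAC may map to several user IDs (shared device), as in FIG. 5.
PROFILES = {
    "00-E4-A1-32-C3-39": [(4, "122-32-2345", "Regular User"),   # type constructed
                          (135, "5E3DA7", "VIP")],              # type constructed
    "00-AA-BB-CC-DD-01": [(4, "900-00-0001", "Regular User"),   # constructed
                          (4, "900-00-0002", "VIP")],           # shared laptop
}

# Guest database of site 4 in the shape of FIG. 6 (constructed rooms).
GUESTS_AT_SITE_4 = {"101": "122-32-2345", "102": "-", "203": "900-00-0002"}


def chaddr_from_dhcp(payload):
    """Step 412: return the client MAC from a DHCP payload, or None.

    CHADDR is supplied by the client, so the length, magic cookie,
    op, htype and hlen are validated before the bytes are used as a key.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen = payload[0], payload[1], payload[2]
    if op != 1 or htype != 1 or hlen != 6:   # BOOTREQUEST, Ethernet, 6 bytes
        return None
    return "-".join("%02X" % b for b in payload[28:34])


def auto_activate(payload, site_id, authorized, profiles, guests, now):
    """Steps 410-428. Mutates `authorized` when the service is activated."""
    mac = chaddr_from_dhcp(payload)
    if mac is None:
        return "ignored"
    if mac in authorized:                       # step 414 -> 416
        return "already-active"
    candidates = [r for r in profiles.get(mac, []) if r[0] == site_id]
    current = set(guests.values()) - {"-"}      # "-" marks a vacant room
    for _site, user_id, user_type in candidates:   # steps 418-426
        if user_id in current:
            authorized[mac] = {                 # step 428: new FIG. 2 row
                "user_id": user_id,
                "expiry": {zone: now + timedelta(hours=h)
                           for zone, h in ENTITLEMENTS[user_type].items()},
            }
            return "activated"
    return "portal"                             # step 422: default rule applies


def build_discover(mac):
    """Constructed minimal DHCPDISCOVER payload for the demo (not a capture)."""
    hw = bytes.fromhex(mac.replace("-", ""))
    zero = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD,
                         0, 0x8000, zero, zero, zero, zero, hw, b"", b"")
    return header + DHCP_MAGIC + b"\x35\x01\x01\xff"


if __name__ == "__main__":
    table = {}
    pkt = build_discover("00-E4-A1-32-C3-39")
    when = datetime(2012, 5, 8, 15, 0)
    print(auto_activate(pkt, 4, table, PROFILES, GUESTS_AT_SITE_4, when))
    print(auto_activate(pkt, 4, table, PROFILES, GUESTS_AT_SITE_4, when))
```

The firewall rules would then be rebuilt from the updated table, and a device that falls through to "portal" is handled by the default rule at step 304.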

Regarding control of which user devices 102 will have the HSIA service automatically activated, FIG. 9 illustrates a UI screen 900 provided by the UI module 122 allowing modification of information stored in the user profile database 152 for an exemplary user. In this embodiment, each guest of the hotel 101 may access UI screen 900 being a webpage in order to modify the device identifiers associated with their user profile.

As shown in FIG. 9, each user may have any number of user devices 102 associated with their user profile account. User device names are listed in column 900 with each user device's corresponding device identifier (e.g., MAC address) shown in column 902. These fields are editable by the user, and the user may add new user devices to or remove user devices from their user profile at any time.

The UI screen 900 further allows each guest of the hotel 101 to modify the user identifiers associated with their account. As shown in FIG. 9, the user identifiers associated with the account in this example are all the various loyalty program membership numbers utilized by the user at different hospitality establishments. Each hospitality establishment is listed in column 910 with the user's corresponding loyalty program member identifier and user type listed in columns 912 and 914, respectively. In some embodiments, the user may be able to freely adjust the loyalty numbers in column 912, but may need to perform an upgrade process by clicking an “upgrade” button 920 in order to upgrade to a higher user type at a particular hospitality establishment in column 914. For example, the upgrade process may involve a payment.

In addition to the UI module 124 within the service controller 106 at the hotel 101, the user profile server 150 may also be configured to provide web-based access to UI screen 900. In this way, any user may access their user profile UI screen 900 from any location over the Internet 108.

Before accessing UI screen 900, users may need to authenticate themselves to either the UI module 124 or the user profile server 150 such as by entering a username/password combination. Additionally, staff at the hotel 101, call center support staff, and administrators of the user profile server 150 may be able to access the UI screen 900 for any user account in order to assist users when required.

An exemplary use case scenario of this embodiment proceeds as follows: A user creates a user profile on the user profile server 150. By interacting with UI screen 900, the user stores on their user profile the MAC addresses of the electronic devices 102 they will bring to the hotel 101 and for which they want to have the HSIA service automatically activated, and stores the loyalty program number identifiers belonging to the user at the hospitality establishments at which the user will be a guest. The user then travels to any of the listed hospitality establishments and connects any of the listed user devices 102 to the local LAN 104 available at the hospitality establishment.

The newly connected user device 102 utilizes DHCP in order to obtain an IP address on the LAN 104 and the process shown in FIG. 4 begins at step 410. At step 418, the service controller 106 at the hospitality establishment queries the user profile database 152 in order to determine whether the MAC address of the connected user device is associated with a loyalty program member identifier specific to that hospitality establishment.

In some embodiments, each hospitality establishment has a unique site identifier and this information may be utilized when querying the user profile database 152 in order to obtain the loyalty program member identifier associated with the MAC address at the specific hospitality establishment where the MAC address was detected.

For example, with reference to FIG. 9, when the user is staying at the “Galactic Hotel (4)”, the MAC address of the user's mobile phone (“00-E4-A1-32-C3-39”) is determined to be associated with user identifier “122-32-2345”. Alternatively, when the user is staying at the “Beaches Resort (135)”, the same MAC address of the user's mobile phone (“00-E4-A1-32-C3-39”) is determined to be associated with a different user identifier “5E3DA7”. The user may thereby travel to different hospitality establishments having different types of the loyalty program member identifiers, and the user's various user devices are recognized and correlated to the user's respective user identifier as employed at each of the different hospitality establishments.

After determining a user identifier associated with the MAC address, the service controller 106 at the hospitality establishment then queries the guest database 136 of the hospitality establishment to determine if the user identifier is associated with a guest of the hospitality establishment. When at least one of the current guests of the hospitality establishment is associated with the determined user identifier, the service controller 106 automatically activates the HSIA service at the hospitality program for the newly connected user device 102 at step 428.

Because the automatic service activation process of FIG. 4 begins in this embodiment upon receiving a DHCP message containing the user device's MAC address, the HSIA service activation at step 428 automatically occurs soon after the connection of the user device 102 to the LAN 104. Therefore, the user is generally able to access external websites 160 on the Internet 108 immediately after connection to the hotel LAN 104. In the event that the user device 102 requests an external website 160 before the firewall rules 134 are updated to activate the HSIA service for the user device 102 and is therefore blocked at step 304, upon a subsequent retry of the connection request by the user device 102, the firewall rules 134 will have been updated and the connection request will succeed. Delay to the user is thereby minimized in this embodiment by triggering the start of the automatic service activation process of FIG. 4 with the detection (at step 410) of an unrecognized MAC address in a DHCP message on the LAN 104.

In some embodiments, the service controller 106 automatically adds the device identifier of a particular user device 102 to the user's profile when the user utilizes the user device 102 at the hospitality establishment.

FIG. 10 shows a flowchart describing steps performed by the service controller 106 upon user log in at the hotel's web-based login portal in order to automatically create or modify the user profile settings for the user. The steps of the flowchart of FIG. 10 are not restricted to the exact order shown, and, in other embodiments, shown steps may be omitted or other intermediate steps added. In this embodiment the processors 118 execute the controller module 120 in order to cause the service controller 106 to perform the illustrated steps.

At step 1000, user login to the hospitality establishment is initiated such as performed by the gateway/firewall module 124 causing an unauthorized user device 102 to display a predetermined login portal at step 304 of FIG. 3.

At step 1002, the guest signs up for Internet access at the login portal. In order to authenticate the user as a part of the login process, user authentication information is received from the user device 102. When the guest is an individual staying at the hotel, the guest enters their room number and payment information. As a part of authentication, the control module 120 determines the user identifier corresponding to the received user authentication information. The controller module 120 then queries the guest database 136 of the hospitality establishment as illustrated in FIG. 6 in order to determine the user identifier corresponding to the user registered in the room number entered by the user during the login process. If the user is not associated with a user identifier such as when the user is not currently a member of the hotel's 101 loyalty program, the user may be offered to join the loyalty program and assigned to a new user identifier (e.g., loyalty program membership identifier) at this step.

At step 1004, the controller module 120 detects the user identifier (i.e., MAC address) of the user device 102. This may be done by direct packet inspection when the packets received from the user device 102 include the MAC address, or by querying an intermediate switch 140 or access point 142 to determine the MAC address associated with the user device's IP address when the packets received from the user device 102 only include its IP address.

At step 1006, the controller module 120 adds a row to the set of authorized user devices 130 and updates the firewall rules 134 to include one or more corresponding device-specific rules that allow data to flow between the Internet and the unique media access control (MAC) address of the particular user device 102 for the authorized zones 144. In this way, the HSIA service is activated for the user device after the user has logged in at the login portal.

At step 1008, the controller module 120 updates the login statistics of the HSIA users at the hotel 101 due to the new user logging in. This may be similar to what was previously described for updating the statistics after the HSIA service is automatically activated for a user device at step 430 of FIG. 4.

At step 1010, the controller module 106 associates in the user profile database 152 the device identifier of the user device detected at step 104 with the corresponding user identifier determined (or newly assigned) at step 1002. In this way, after a user has logged in from a particular user device 102 at the hotel's login portal such as offered by the UI module 122, the central user profile database 152 is automatically updated to contain a mapping between the device's MAC address and the user's ID. In the future, the guest may continue using the same user device 102 (e.g., having the same MAC address device identifier) at the same or other hospitality establishments served by the user profile server 150. At each hospitality establishment, the user device 102 will be automatically logged in to the network and the HSIA service automatically activated by following the process of FIG. 4. In this way, the user's device MAC address is automatically registered in the user's profile without requiring the user to manually update their user profile in the user profile database 152.

Other information may also be stored within the user profile database 152 in some embodiments. For example, FIG. 11 illustrates how the user profile database 152 further stores service entitlements for different users at specific hospitality establishments. This user information may be retrieved from the user profile database 152 and utilized in order to automatically activate the HSIA service at the specific hospitality establishment, identified according to its site ID 1100, at step 428 of FIG. 4.

FIG. 12 illustrates a flowchart illustrating operations of the controller module 120 expiring zone access for a particular user device 102 according to an exemplary embodiment. The steps of the flowchart of FIG. 12 are not restricted to the exact order shown, and, in other embodiments, shown steps may be omitted or other intermediate steps added. In this embodiment the processors 118 execute the controller module 120 in order to cause the service controller 106 to perform the illustrated steps.

The process begins at step 1200 when the controller module 120 determines that the zone access expiry time in column 204 of the set of authorized user devices 130 in FIG. 2 has been reached. Alternatively, the process may begin at this step when the PMS at the hotel 101 (e.g., the PMS module 126 in FIG. 1) sends a checkout message to the controller module 120 informing the controller module 120 that a guest of a particular guest room has now checked out of the guest room. In yet another example, the process may start when a current event such as a meeting or conference or a guest reservation at the hotel ends.

At step 1202, the controller module 120 updates the user profile database 152 to remove the expired zone access times if required. For example, when all zone access times for a particular user at a particular site ID are now expired, the row for this particular site ID as depicted in FIG. 11 may be deleted from the user profile database 152.

At step 1204, the controller module 120 updates the set of authorized user devices 130 according to the expired zone access (similar to step 1202, when a particular user device 102 is no longer authorized for Internet access from any zone such as illustrated for the “MAC-1” user device 102 in FIG. 2, the corresponding row may be deleted from the set of authorized user devices 130). The controller module 120 then updates the firewall rules 134 to remove the device-specific exceptions for the user device for the expired zones 144 of the hotel 101.

FIG. 13 illustrates a UI screen 1300 allowing an event organizer to adjust a set of event-specific network settings for a particular event as stored in a reservation database such as the hotel's PMS (illustrated in FIG. 1 as the guest database 136). In this example, the UI screen 1300 is a web page screen generated by the processors 118 executing the UI module 122. The UI module 122 further configures the processors 118 to send hypertext markup language (HTML) for the UI screen 1300 to an authorized destination via the network interface 112. The service controller 106 may thereby behave as a web server allowing event organizers, hotel staff, or other users to make event reservations and configure different sets of event-specific network settings for different events at the hotel 101. According to user selections and input made on the UI screen 1300 for a particular event, the processors 118 store the specified set of event-specific network settings in the guest database 136.

As illustrated in the bottom portion of the UI screen 1300, the registered device settings allow the event organizer (or hotel staff) to configure any number of specific registered user devices for the event. In this example, two registered user devices (e.g., a printer and a teleconferencing webcam) are shown on separate rows of the registered device settings of UI screen 1300. For each registered user device 102, the UI screen 1300 allows a number of device-specific network settings to be configured for the particular event (e.g., one device-specific network setting per column in UI screen 1300).

The device name setting 1302 provides a human-readable description to identify the registered user device. The MAC address setting 1304 represents the device identifier of the registered user device and allows the event organizer to input the unique MAC address of the registered user device. The auto login setting 1306 allows the event organizer to specify that the hotel's HSIA service should be automatically activated for the user device upon detection of its MAC address on the hotel LAN 104 during the event. Although the event may require other user devices to be redirected to a login page before activating the HSIA service during the event, registered user devices having the auto login setting 1306 enabled will be granted Internet access upon connection to the LAN 104 without requiring the device to be redirected to the login page. The device-specific bandwidth limits settings 1308 allow the event organizer to allocate a specific bandwidth cap and/or rate to the registered user device. The HSIA service will be automatically activated with these service entitlements.

FIG. 14 illustrates a method of determining whether a hotel guest is associated with a particular device identifier by checking a reservation database of the hospitality establishment. In some embodiments, step 414 of FIG. 4 may be replaced with (or further include) the steps shown in FIG. 14. The steps of the flowchart are not restricted to the exact order shown, and, in other embodiments, shown steps may be omitted or other intermediate steps added. In this embodiment, the processors 118 execute the controller module 120 in order to cause the service controller 106 to perform the following illustrated steps.

At step 1400, the controller module 120 queries a reservation database of the hospitality establishment such as guest database 136 to determine whether a device identifier detected on the hotel's LAN 104 is associated with an active reservation of the hospitality establishment. In this example, the device identifier is a MAC address in a DHCP message broadcast on the hotel LAN 104 upon connection of the user device to the hotel LAN 104. Taking the exemplary medical conference event illustrated in FIG. 13 as an example, this reservation will be deemed to be an active reservation after the reservation's specified start-time has been reached and before the reservation's end-time has been reached. During this time period, the MAC address (“09:A1:47:12:EF:31”) of the teleconferencing webcam 1322 will be deemed to be associated with the event in the context of the HSIA service because the auto login setting 1306 for webcam 1322 is enabled.

At step 1402, when the controller module 120 determines that the device identifier is associated with an active reservation, control proceeds to step 428; otherwise, the user device is deemed unauthorized and control proceeds to step 1404. For example, when the MAC address 1304 of a teleconferencing web cam 1322 is detected on the hotel LAN 104 while the reservation is active (e.g., after the reservation's start-time has been reached and before the reservation's end-time has been reached), control proceeds to step 428 to automatically activate the HSIA service for the user device with a 5 Mbit/s bandwidth cap and rate service entitlement to ensure sufficient video quality during the event. Other service entitlements such as assigning the user device with a specific public IP address may be included as illustrated.

Rather than an event reservation as illustrated in FIG. 13, in another example, the controller module 120 at step 1400 queries the guest database 136 of the hotel 101 to determine whether the device identifier detected on the hotel's LAN 104 is associated with a guest's reservation. Guests may specify in their reservation one or more MAC addresses for which HSIA is to be automatically activated at the hotel 101. Thereafter, when the specified MAC addresses are detected on the hotel LAN 104 while the reservation is active (i.e., within a predetermined time period spanning the time the guest is to check-in and check-out of the hotel 101), the result of step 1402 is “yes” and control proceeds to step 428 to automatically activate the HSIA service for the user device 102.

Although an active reservation in the above embodiments is defined as having reached its start-time but not yet reached its end-time, in other embodiments, a reservation may also be deemed active when the current time is within a predetermined duration before the start-time of the reservation has been reached and within a predetermined duration after the end-time of the reservation has been reached. For example, when the controller module 120 queries the guest database 136 for a detected MAC address at step 1402, the detected MAC address may be found at step 1402 to be associated with a particular guest's reservation being associated with the MAC address up to two hours before the reservation indicates the guest is scheduled to arrive and up to three hours after the reservation indicates the guest is scheduled to depart.
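The active-reservation test of steps 1400 and 1402, including the optional windows before the start-time and after the end-time, can be sketched as follows. This is an added illustration, not code from the patent: the class and function names, the reservation dates, and the printer's MAC address and bandwidth are constructed, while the webcam's MAC address and 5 Mbit/s entitlement come from the FIG. 13 example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

_MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")


def normalize_mac(raw: str) -> str:
    """Canonicalize to lower-case colon form so a lookup is not defeated by
    case or separator differences; reject anything that is not a MAC."""
    mac = raw.strip().lower().replace("-", ":")
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"malformed MAC address: {raw!r}")
    return mac


@dataclass(frozen=True)
class RegisteredDevice:
    name: str
    mac: str
    auto_login: bool       # auto login setting 1306
    bandwidth_kbit: int    # device-specific bandwidth limit 1308


@dataclass(frozen=True)
class Reservation:
    label: str
    start: datetime
    end: datetime
    devices: tuple


def is_active(res: Reservation, now: datetime,
              before: timedelta = timedelta(0),
              after: timedelta = timedelta(0)) -> bool:
    """Active once the start-time is reached and until the end-time is
    reached, optionally widened by the two predetermined durations."""
    return res.start - before <= now < res.end + after


def find_entitlement(raw_mac: str, reservations, now: datetime,
                     before: timedelta = timedelta(0),
                     after: timedelta = timedelta(0)) -> Optional[RegisteredDevice]:
    """Steps 1400/1402: return the registered device whose service should be
    activated (step 428), or None when the device stays unauthorized (1404)."""
    mac = normalize_mac(raw_mac)
    for res in reservations:
        if not is_active(res, now, before, after):
            continue
        for dev in res.devices:
            # Only devices with auto login enabled bypass the login portal.
            if dev.auto_login and normalize_mac(dev.mac) == mac:
                return dev
    return None


# Constructed sample reservation modelled on the FIG. 13 medical conference.
CONFERENCE = Reservation(
    label="medical conference",
    start=datetime(2024, 5, 1, 9, 0),
    end=datetime(2024, 5, 1, 17, 0),
    devices=(
        RegisteredDevice("teleconferencing webcam", "09:A1:47:12:EF:31", True, 5000),
        RegisteredDevice("printer", "02:00:00:AA:BB:01", False, 1000),
    ),
)

if __name__ == "__main__":
    hit = find_entitlement("09-a1-47-12-ef-31", [CONFERENCE],
                           datetime(2024, 5, 1, 10, 0))
    print(hit.name if hit else "unauthorized")
```

Widening the window also widens the period in which a device merely presenting a registered MAC address is admitted without the login portal, so the two durations are best kept as short as the arrival and departure process allows.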

In other embodiments, automatically activating a service for a user device 102 at a hospitality establishment involves additional or other services besides the HSIA service. For example, FIG. 15 illustrates a guest-specific UI screen 1500 sent to a user device 102 after performing an automated check-in process according to another embodiment of the invention. In this embodiment, the automatic service activation process as described above for FIG. 4 behaves substantially as previously described, except at step 428, in addition to automatically activating the HSIA service for the user's device 102, the automatic service activation further involves the controller module 120 automatically checking the user into the hotel 101 and generating a unique door key code for the guest's registered room.

In this embodiment, at step 428 the UI module 122 sends the UI screen 1500 to the user device 102 for display to the guest. The UI screen 1500 includes a first message 1502 informing the guest that they have been automatically checked-in to a particular guest room (e.g., “Room 101” in this example). An upgrade button 1510 allows the guest to upgrade their room to a higher priced room; additional fees may apply and therefore the UI screen 1500 allows the hotel to upsell their more profitable rooms.

A room access key 1504 is included to allow the guest to open the door locks on their assigned room. In this embodiment, the room access key 1504 is a QR Code® embedding an access code that will be accepted by an optical scanner near the room's door and will cause the door to unlock. (QR Code is a registered trademark of DENSO WAVE INCORPORATED.) The access code may be randomly generated by the controller module 120 so that the code is unique for each new guest registered for the room. Previous guests of the room are thereby unable to open the door after check-out to ensure security.
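One way to obtain the per-guest uniqueness described above is sketched below as an added example, not the patent's implementation: the `RoomKeyRegistry` class and its method names are hypothetical, and the choice of a 256-bit code, SHA-256 storage and constant-time comparison is an assumption. The returned string is what would be embedded in the QR code.

```python
import hashlib
import hmac
import secrets


class RoomKeyRegistry:
    """Hypothetical store holding the single currently valid code per room."""

    def __init__(self):
        # room number -> SHA-256 digest of the current access code.
        # Only the digest is kept, so a leaked table does not reveal codes.
        self._digests = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, room: str) -> str:
        """Generate a fresh code for a newly registered guest. Overwriting the
        stored digest invalidates whatever code the previous guest held."""
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._digests[room] = self._digest(code)
        return code

    def revoke(self, room: str) -> None:
        """Called on check-out so the room has no valid code until re-issued."""
        self._digests.pop(room, None)

    def verify(self, room: str, presented: str) -> bool:
        """Door-side check of a scanned code against the room's current code."""
        expected = self._digests.get(room)
        if expected is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, self._digest(presented))


if __name__ == "__main__":
    registry = RoomKeyRegistry()
    first_guest = registry.issue("101")
    second_guest = registry.issue("101")        # next guest registered for room 101
    print(registry.verify("101", first_guest))   # previous guest's code
    print(registry.verify("101", second_guest))  # current guest's code
```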

A third message 1506 of the UI screen 1500 informs the guest that the HSIA service at the hotel 101 has been automatically activated for the user device 102. As shown, the HSIA service in this example was automatically activated for the guest's device at 256 kbit/s; however, an upgrade button 1512 allows the guest to upgrade their bandwidth to a higher speed. Again, additional fees may apply and therefore the UI screen 1500 allows the hotel to upsell bandwidth. Upgrades for any of the services automatically activated at step 428 or other services in the hotel may be offered via UI screen 1500 in a similar manner.

Additionally, a fourth message 1508 informs the guest of other guest-specific information related to their stay at the hotel 101 such as the applicable check-out time.

In some embodiments, the UI screen 1500 may be sent to a predetermined application running on the guest's user device. For example, a user may have a user profile such as illustrated in FIG. 9 associating their mobile phone with their loyalty program member identifier at a hotel 101. The guest may then make a reservation at the hotel 101 for a certain date and specify their loyalty program member identifier in the reservation. On the date of the reservation, the user may simply arrive at the hotel lobby and utilize their mobile phone to connect to the hotel's wireless network (e.g., by wirelessly associating the mobile phone with an AP 142 at the hotel).

Upon wireless connection with the hotel's wireless network, a predetermined application running on the guest's user mobile phone detects the connection with the hotel 101 and receives the guest-specific UI screen 1500 from the UI module 122 via the hotel LAN 104. The application may then present itself to the user and display the guest-specific UI screen 1500. In this way, the guest is automatically checked in to the hotel upon arrival by the service controller 106 recognizing the user's mobile device's identifier on the LAN 104, and the user is not required to interact with front desk staff at the hotel. The information and door key for the guest's stay is transmitted to their mobile phone, which is also automatically authorized for Internet access.

In other embodiments, rather than the predetermined application automatically detecting the connection to the hotel LAN 104, the user may be required to manually start the predetermined application upon arrival at the hotel 101. In yet other embodiments, rather than sending the UI screen 1500 to a predetermined application, the UI screen 1500 may represent a webpage accessible by the user device such as when the user navigates to a predetermined web address. The predetermined web address may be included on a confirmation of the reservation and sent to the mobile device prior to arrival such as via confirmation email to the user.

In yet other embodiments, the user device may be caused to display the UI screen 1500 upon arrival at the hotel 101 similar to how a user device 102 is caused to display a login portal at step 304, for example, by redirecting the user's first web access request to the UI module 124 to receive the UI screen 1500.

Although not a requirement, the invention is well suited to incorporation in loyalty programs. For example, as a benefit of the loyalty program, members are automatically logged in at participating venues and automatically receive customized network access on their personal devices. Higher HSIA bandwidth and access entitlements from a greater number of zones may be automatically provided, for example. The entitlements may be automatically increased as the loyalty program member accumulates points in some embodiments. A loyalty program user configuration web page such as illustrated in FIG. 9 may allow users to associate themselves with different MAC addresses such as after they purchase a new device. Similarly the page may allow them to de-associate themselves if they are no longer using a device having a particular MAC address.

To further increase security, the system 100 may also spot conflicts such as when user devices 102 using the same MAC address are simultaneously connected at different hospitality establishments. Upon detection of such a conflict (either in real time or at a later date such as when running a report), the MAC address may be automatically blocked from being associated with user IDs. The user ID may also be flagged for follow-up examination or to require manual login.
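The conflict check described above can be run as a report over connection records, as in the following added example (not code from the patent). The `Session` record, the `ProfileStore` stand-in for the user profile database, the site identifiers, user IDs and MAC addresses are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import NamedTuple


class Session(NamedTuple):
    mac: str
    site_id: str
    start: datetime
    end: datetime


@dataclass
class ProfileStore:
    """Hypothetical stand-in for the central user profile database."""
    mac_to_user: dict = field(default_factory=dict)
    blocked_macs: set = field(default_factory=set)
    flagged_users: set = field(default_factory=set)

    def associate(self, mac: str, user_id: str) -> bool:
        """Refuse to bind a blocked MAC address to any user ID."""
        mac = mac.lower()
        if mac in self.blocked_macs:
            return False
        self.mac_to_user[mac] = user_id
        return True

    def requires_manual_login(self, user_id: str) -> bool:
        return user_id in self.flagged_users


def find_conflicting_macs(sessions) -> set:
    """Return MACs seen at two different sites during overlapping intervals."""
    by_mac = defaultdict(list)
    for s in sessions:
        by_mac[s.mac.lower()].append(s)
    conflicts = set()
    for mac, group in by_mac.items():
        group.sort(key=lambda s: s.start)
        still_open = []
        for s in group:
            # Drop sessions that ended before this one began.
            still_open = [o for o in still_open if o.end > s.start]
            # Overlap at the same site is an ordinary reconnect, not a conflict.
            if any(o.site_id != s.site_id for o in still_open):
                conflicts.add(mac)
                break
            still_open.append(s)
    return conflicts


def apply_conflicts(store: ProfileStore, sessions) -> set:
    """Block each conflicting MAC and flag the user ID it was bound to."""
    conflicts = find_conflicting_macs(sessions)
    for mac in conflicts:
        store.blocked_macs.add(mac)
        user = store.mac_to_user.pop(mac, None)
        if user is not None:
            store.flagged_users.add(user)
    return conflicts


def at(hour: int) -> datetime:
    return datetime(2024, 5, 1, hour, 0)


# Constructed connection records.
SESSIONS = [
    Session("02:00:00:00:00:0a", "SITE-1", at(10), at(12)),
    Session("02:00:00:00:00:0A", "SITE-2", at(11), at(13)),  # overlaps at another site
    Session("02:00:00:00:00:0b", "SITE-1", at(8), at(9)),
    Session("02:00:00:00:00:0b", "SITE-2", at(15), at(16)),  # guest travelled
    Session("02:00:00:00:00:0c", "SITE-1", at(10), at(12)),
    Session("02:00:00:00:00:0c", "SITE-1", at(11), at(13)),  # reconnect, same site
]

if __name__ == "__main__":
    print(sorted(find_conflicting_macs(SESSIONS)))
```

A guest who genuinely moves between two nearby sites inside one recorded session would also trip this check, which is why the flagged user ID is routed to manual login rather than rejected outright.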

To prevent a guest of a hospitality establishment detecting another guest's MAC address (i.e., to use for MAC spoofing purposes), all wireless connections between user devices 102 and wireless APs 142 may be encrypted, and all wired connections between user devices 102 and switches 140 may be isolated from other wired connections. In this way, eavesdropping of other user devices' 102 MAC addresses is prevented.

In some embodiments, determining whether a hotel guest is associated with a detected device ID (at step 404 shown in FIG. 4 and FIG. 14) may be enhanced by further confirming that the guest is also an authorized user of the zone 144 at which the user device 102 is currently located. The automatic service activation at step 428 may only take place when the user device 102 is located in an authorized zone.

For example, the controller module 102 may query the guest database 136 of the hotel 101 to determine an authorized zone 144 of the hospitality establishment for which the particular guest is authorized. Taking the “User-B” in room “101” as shown in FIG. 6, this user may be determined by the controller module 120 to be authorized for the guest rooms zone 144 of the hotel 101. The controller module 120 then detects a current zone within the hotel 101 at which the user device is located. For example, this may be performed utilizing similar techniques as previously described for determining the source zone at step 306 of FIG. 3. The controller module 120 thereafter automatically activates the HSIA service for the user device 102 at step 428 when the current zone matches the authorized zone. In this way, the HSIA service is only activated for the guest when they move into the guest rooms zone 144 of the hotel. If the guest is in another zone 144 such as a conference room or staff admin zone 144, the HSIA service is not automatically activated.

In a preferred embodiment, the guest database 136 corresponds to a property management system (PMS) of the hospitality establishment. Although the guest database 136 has generally been described as actually being the hotel's PMS, in some embodiments, the guest database 136 may in fact be a cached version of the PMS data for all rooms in the hotel. This is beneficial when the hotel 101 already has a dedicated PMS. In order to check if a guest of the hotel is associated with a particular user ID of the hotel, the controller module 120 simply queries the PMS data (whether a cached version or not). The user ID may be the guest's name, or the user ID may be a more specific guest identifier such as a loyalty program number associated with the guest. Using a more specific user identifier such as loyalty program number is beneficial to avoid ambiguities caused by many people having the same name.

In an exemplary embodiment, the hotel 101 may offer all users the same default access level in which case all new user devices automatically receive the same access levels when the service is activated at step 428. In another exemplary embodiment, when the new user device is connected to “Conference room A”, assuming the user ID associated with the client device is a current guest and is registered for Conference room A, the client device may be automatically authorized for the HSIA service from the Lobby zone, Conference room A zone, and Guest rooms zone. In yet another exemplary embodiment, when the MAC address of the user device 102 is associated with a user ID at the VIP level, assuming the user ID correlated with a registered guest in the hotel's PMS (this may also involve confirming the user device is connected to the specific room/zone for which the guest is registered), the user device 102 is automatically authorized to access the HSIA service for all zones in the hotel.

In an exemplary embodiment, automatic service activation is performed for a user device in response to receiving DHCP address configuration messages when the device's MAC address is correlated to a user ID that matches a guest at the hospitality establishment. A service controller 106 includes a network interface 112 for coupling to a LAN 104 of a hospitality establishment such as hotel 101, and one or more processors 118 coupled to the network interface 112. The one or more processors 118 are configured to detect a device identifier such as a MAC address of a user device 102 on a LAN 104 of the hospitality establishment, determine whether a guest of the hospitality establishment is associated with the device identifier; and automatically activate a service for the user device 101 at the hospitality establishment in response to detecting the device identifier on the LAN 104 when a guest of the hospitality establishment is determined to be associated with the device identifier.

Although the invention has been described in connection with a preferred embodiment, it should be understood that various modifications, additions and alterations may be made to the invention by one skilled in the art.

For example, although the invention has been described as being utilized at a hotel 101, the invention is equally applicable to any hospitality related establishment or service wishing to automatically activate services for user devices including but not limited to hotels, motels, resorts, conference centers, hospitals, apartment/townhouse complexes, restaurants, retirement centers, cruise ships, busses, airlines, shopping centers, passenger trains, etc. The invention may also be beneficially employed in other applications outside the hospitality industry such as by corporations or any other entity wishing to automatically activate a service for certain user devices.

In another example modification, messages other than DHCP may be utilized to detect a device identifier on the LAN 104 of the hospitality establishment at step 400, for example, any message (packet, frame, etc.) received at the service controller 106. Additionally, different types of device identifiers other than MAC addresses may be utilized to identify user devices 102 in other embodiments, for example, subscriber identifier module (SIM) card numbers, Internet protocol (IP) addresses, hardware or software serial numbers, etc.

In another example modification, rather than only activating the HSIA service at step 428 for the single MAC address of the user device 102 that was detected on the LAN 104, the controller module 120 may automatically activate the HSIA service for the MAC addresses of all of the user devices 102 associated with the user in columns 902 and 904 of FIG. 9. In other words, when the exemplary user of FIG. 9 arrives at a new hotel and connects their mobile phone to the hotel LAN 104, the process of FIG. 4 proceeds as previously described except at step 428 the HSIA service is activated for all three of the user's devices as listed on the user's profile (e.g., the user's mobile phone, corporate netbook, and teleconferencing webcam).

The various separate elements, features, and modules of the invention described above may be integrated or combined into single units. Similarly, functions of single elements, features, and modules may be separated into multiple units.

The modules may be implemented as dedicated hardware modules, and the modules may also be implemented as one or more software programs executed by a general or specific purpose processor to cause the processor to operate pursuant to the software program to perform the above-described module functions. In some embodiments, rather than a single integrated service controller 106 having each of the modules 120, 122, 124, 126, 128 illustrated in FIG. 1, the service controller 106 only includes the controller module 120; the other modules 122, 124, 126, 128 and their associated data are implemented on one or more separate computer servers.

The flowcharts may be implemented as processes executed by dedicated hardware, and may also be implemented as one or more software programs executed by a general or specific purpose processor(s) 118 to cause the processor(s) 118 to operate pursuant to the software program to perform the flowchart steps. For example, a computer-readable medium such as module storage device 114 stores computer executable instructions that when executed by a computer cause the computer to perform above-described steps of FIG. 3, FIG. 4, FIG. 10, FIG. 12, and FIG. 14. Examples of the computer-readable medium include optical media (e.g., CD-ROM, DVD discs), magnetic media (e.g., hard drives, diskettes), and other electronically readable media such as flash storage devices and memory devices (e.g., RAM, ROM).

The computer-readable medium may be local to the computer executing the instructions, or may be remote to this computer such as when coupled to the computer via a computer network. For example, the service controller 106 of FIG. 1 may be implemented by a computer having one or more processors 118 executing a computer program loaded from a hard drive or other non-transitory storage medium located within the computer or elsewhere to perform the steps of the various flowcharts and above description. In one embodiment, the computer is a computer server connected to a network such as the Internet 108 and the computer program stored in the hard drive may be dynamically updated by an update server (not shown) coupled to the Internet 108. In addition to a dedicated physical computing device, the word “server” may also mean a single computer, virtual computer, or shared physical computer, for example.

Unless otherwise specified, features described may be implemented in hardware or software according to different design requirements. Additionally, all combinations and permutations of the above described features and embodiments may be utilized in conjunction with the invention.

What is claimed is:
 1. An apparatus for controlling automatic check-in at a hospitality establishment, the apparatus comprising: a storage device; a network interface for coupling to a computer network of the hospitality establishment; and one or more processors coupled to the storage device and the network interface; wherein, by the one or more processors executing a plurality of software instructions loaded from the storage device, the one or more processors are configured to: detect a device identifier of a user device in network traffic transmitted on the computer network of the hospitality establishment; search a set of authorized user devices to determine whether the device identifier corresponds to any locally recognized user device at the hospitality establishment; in response to determining that the device identifier corresponds to a locally recognized user device, take no further action because a firewall at the hospitality establishment has already been configured with one or more device-specific rules for the locally recognized user device; in response to determining that the device identifier does not correspond to any locally recognized user device at the hospitality establishment, query one or more databases of the hospitality establishment to determine whether the device identifier is associated with a new guest registered for a particular room of the hospitality establishment; and send a room access key to the user device via the computer network and configure the firewall with at least one rule allowing Internet access for the user device in response to determining that the device identifier is associated with the new guest registered for the particular room; wherein the room access key allows the new guest registered for the particular room to open a door lock of the particular room.
 2. The apparatus of claim 1, wherein the one or more processors are further configured to generate the room access key to be different for each new guest registered for the particular room.
 3. The apparatus of claim 1, wherein the room access key comprising a QR code for display on a user interface and acceptance by an optical scanner near the door lock of the particular room.
 4. The apparatus of claim 1, wherein, when querying the one or more databases of the hospitality establishment to determine whether the device identifier is associated with the new guest registered for the particular room, the one or more processors are configured to query a reservation database of the hospitality establishment to determine whether the device identifier corresponds to a registered device of an active reservation of the hospitality establishment.
 5. The apparatus of claim 4, wherein a particular reservation of the hospitality establishment is defined as the active reservation when a start-time of the particular reservation has been reached and an end-time of the particular reservation has not yet been reached.
 6. The apparatus of claim 4, wherein a particular reservation of the hospitality establishment is defined as the active reservation when a current time is within a first predetermined duration before a start-time of the particular reservation or when the current time is within a second predetermined duration after an end-time of the particular reservation.
 7. The apparatus of claim 4, wherein the reservation database stores a plurality of guest reservations of the hospitality establishment and each of the guest reservations may include one or more registered devices.
 8. The apparatus of claim 4, wherein the reservation database is a property management system (PMS) of the hospitality establishment.
 9. The apparatus of claim 1, wherein, when querying the one or more databases of the hospitality establishment to determine whether the device identifier is associated with the new guest registered for the particular room, the one or more processors are configured to: query a user profile database via an external network to find a particular user identifier that is associated with the device identifier, wherein the user profile database is remote from the hospitality establishment and stores associations between one or more device identifiers and one or more user identifiers; and in response to finding the particular user identifier that is associated with the device identifier from the user profile database, query a guest database of the hospitality establishment to determine whether the particular user identifier is associated with a current guest of the hospitality establishment, wherein the guest database of the hospitality establishment stores user identifiers of currently registered guests for guest rooms of the hospitality establishment.
 10. The apparatus of claim 1, wherein the one or more processors are further configured to activate Internet access for the user device at the hospitality establishment in response to determining that the device identifier is associated with the new guest registered for the particular room, thereby preventing the user device from needing to display a login portal before gaining Internet access from the computer network.
 11. A method of automatic check-in at a hospitality establishment, the method comprising: detecting a device identifier of a user device in network traffic transmitted on a computer network of the hospitality establishment; searching a set of authorized user devices to determine whether the device identifier corresponds to any locally recognized user device at the hospitality establishment; in response to determining that the device identifier corresponds to a locally recognized user device, taking no further action because a firewall at the hospitality establishment has already been configured with one or more device-specific rules for the locally recognized user device; in response to determining that the device identifier does not correspond to any locally recognized user device at the hospitality establishment, querying one or more databases of the hospitality establishment to determine whether the device identifier is associated with a new guest registered for a particular room of the hospitality establishment; and sending a room access key to the user device via the computer network and configuring the firewall with at least one rule allowing Internet access for the user device in response to determining that the device identifier is associated with the new guest registered for the particular room; wherein the room access key allows the new guest registered for the particular room to open a door lock of the particular room.
 12. The method of claim 11, further comprising generating the room access key to be different for each new guest registered for the particular room.
 13. The method of claim 11, wherein the room access key comprises a QR code for display on a user interface and acceptance by an optical scanner near the door lock of the particular room.
 14. The method of claim 11, wherein querying the one or more databases of the hospitality establishment to determine whether the device identifier is associated with the new guest registered for the particular room comprises querying a reservation database of the hospitality establishment to determine whether the device identifier corresponds to a registered device of an active reservation of the hospitality establishment.
 15. The method of claim 14, wherein a particular reservation of the hospitality establishment is defined as the active reservation when a start-time of the particular reservation has been reached and an end-time of the particular reservation has not yet been reached.
 16. The method of claim 14, wherein a particular reservation of the hospitality establishment is defined as the active reservation when a current time is within a first predetermined duration before a start-time of the particular reservation or when the current time is within a second predetermined duration after an end-time of the particular reservation.
 17. The method of claim 14, wherein the reservation database stores a plurality of guest reservations of the hospitality establishment and each of the guest reservations may include one or more registered devices.
 18. The method of claim 14, wherein the reservation database is a property management system (PMS) of the hospitality establishment.
 19. The method of claim 11, wherein querying the one or more databases of the hospitality establishment to determine whether the device identifier is associated with the new guest registered for the particular room comprises: querying a user profile database via an external network to find a particular user identifier that is associated with the device identifier, wherein the user profile database is remote from the hospitality establishment and stores associations between one or more device identifiers and one or more user identifiers; and in response to finding the particular user identifier that is associated with the device identifier from the user profile database, querying a guest database of the hospitality establishment to determine whether the particular user identifier is associated with a current guest of the hospitality establishment, wherein the guest database of the hospitality establishment stores user identifiers of currently registered guests for guest rooms of the hospitality establishment.
 20. A non-transitory processor-readable medium comprising a plurality of processor-executable instructions that when executed by one or more processors cause the one or more processors to perform steps of: detecting a device identifier of a user device in network traffic transmitted on a computer network of a hospitality establishment; searching a set of authorized user devices to determine whether the device identifier corresponds to any locally recognized user device at the hospitality establishment; in response to determining that the device identifier corresponds to a locally recognized user device, taking no further action because a firewall at the hospitality establishment has already been configured with one or more device-specific rules for the locally recognized user device; in response to determining that the device identifier does not correspond to any locally recognized user device at the hospitality establishment, querying one or more databases of the hospitality establishment to determine whether the device identifier is associated with a new guest registered for a particular room of the hospitality establishment; and sending a room access key to the user device via the computer network and configuring the firewall with at least one rule allowing Internet access for the user device in response to determining that the device identifier is associated with the new guest registered for the particular room; wherein the room access key allows the new guest registered for the particular room to open a door lock of the particular room.
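
The decision flow recited in claims 1, 2 and 4 to 6 can be traced in a short sketch. This is an added example, not code from the patent or from any vendor system; the class names, the record layout, the tuple used as a firewall rule and the sample identifiers are all assumptions, and the two claim 6 windows are combined with the claim 5 test in one comparison.

```python
# Added illustration of the decision flow in claims 1, 2 and 4-6 (not from the patent).
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Reservation:                      # hypothetical record shape
    room: str
    start: datetime
    end: datetime
    devices: set                        # registered device identifiers (claim 7)

@dataclass
class Controller:                       # hypothetical stand-in for the claimed apparatus
    reservations: list
    early: timedelta = timedelta(0)     # "first predetermined duration" (claim 6)
    late: timedelta = timedelta(0)      # "second predetermined duration" (claim 6)
    authorized: set = field(default_factory=set)
    firewall_rules: list = field(default_factory=list)

    def is_active(self, r, now):
        # With zero windows this is claim 5: start reached, end not yet reached.
        return r.start - self.early <= now < r.end + self.late

    def on_device_seen(self, device_id, now):
        device_id = device_id.lower()
        if device_id in self.authorized:
            return "recognized", None   # firewall already holds device-specific rules
        for r in self.reservations:
            if device_id in r.devices and self.is_active(r, now):
                key = secrets.token_urlsafe(16)          # fresh key per check-in (claim 2)
                self.firewall_rules.append(("allow", device_id))
                self.authorized.add(device_id)
                return "checked_in", {"room": r.room, "room_access_key": key}
        return "unknown", None          # no rule added; default handling applies

def demo():
    # Constructed sample data: one reservation with one registered device.
    start, end = datetime(2024, 1, 10, 15), datetime(2024, 1, 12, 11)
    c = Controller([Reservation("412", start, end, {"aa:bb:cc:00:11:22"})],
                   early=timedelta(hours=2))
    first = c.on_device_seen("AA:BB:CC:00:11:22", start - timedelta(hours=1))
    second = c.on_device_seen("aa:bb:cc:00:11:22", start)
    other = c.on_device_seen("de:ad:be:ef:00:01", start)
    return first[0], second[0], other[0], c.firewall_rules

if __name__ == "__main__":
    print(demo())
```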